Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
To: None <ipthomas@mac.com>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 04/25/2002 21:52:32
[ On Thursday, April 25, 2002 at 19:38:45 (-0400), ipthomas@mac.com wrote: ]
> Subject: Re: [lists@globalintersec.com: [Global InterSec 2002041701] Sudo Password Prompt Vulnerability.]
>
> 	So I'm going to assume that su -c is more appropriate than sudo.

It's better in that it is very hard to mis-configure it to give away
more privileges than necessary -- it effectively gives them all away at
once and you're not lulled into a false sense of security.  You know
100% that when someone knows the password for the account in question
(usually root) then you know you have to trust them with the full
privileges of that account (and of course audit their activities to
ensure they don't overstep your trust).

> By sudo users being lazy, you mean that they have use of all commands 
> run as root with no password, right?

Well that's part of it -- but the real issue is with assuming you have
to be root to do many things....  it often only takes a small amount of
additional effort to delegate something to a special user and allow
authorised real users to 'su' to that user.  Sometimes even a special
group will do and giving the authorised users membership in that group
will allow them to manage whatever it is without using any passwords.

Slowly systems are again moving in the direction of coming with samples
of such special users configured by default.  For example recently
NetBSD-current comes configured to run 'named' under the (not so well
chosen) user "named".  Anyone still running 'named' as root is taking
enormous and unnecessary risks, yet still many systems come with 'named'
configured to run as root by default (even NetBSD-1.5.x!).

>  For some things, it seems that you 
> will have to log in as root or at least pretend, via su or sudo.

yes, for a very few things....

> 	I'm curious as to why so many publications these days tell users to 
> use sudo rather than su.

Because it's easy (too easy), and because it's a generic solution that
generic publications can recommend without worrying that someone won't
be able to make it work.

Also because a lot of people who write about such things are not
security experts.  They are only trying to show people how to get the
job done, not necessarily how to get it done securely.  If you read any
of the recent plethora of books and articles about building secure
software (e.g. one of that title by Viega & McGraw, "Secrets & Lies" by
Schneier, and so on) then you'll see just how far we have yet to go
before networked computing systems will truly be secure and safe to use.

I think sudo can be used securely for very limited purposes, at least
that's what people keep telling me.  However I've never had the occasion
to try to set it up that securely -- I take the other approach and
divide services into special users and groups and carefully delegate
privileges to those special IDs.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
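As an added example, not part of this message and not code from the sudo project, the following Python script audits sudoers-style user specifications for the overly broad grants discussed above: ALL commands as root with no password, root grants of commands that can start a shell, and password-less grants that run as root, while treating a grant delegated to a service user such as `named` as low risk. The sudoers text, the user and group names, the host names and the risk levels are all constructed for illustration; tag inheritance across a command list follows sudoers(5), where a later `PASSWD:` overrides an earlier `NOPASSWD:`.

```python
"""Audit sudoers-style user specifications for overly broad grants (illustrative example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sudoers content; none of these users, groups or hosts are real.
SAMPLE_SUDOERS = """\
# constructed example, not a real /etc/sudoers
Defaults        env_reset
%wheel          ALL=(ALL) ALL
alice           ALL=(ALL) NOPASSWD: ALL
bob             ALL=(named) NOPASSWD: /usr/sbin/rndc reload
%dnsadmins      ns1,ns2=(named) /usr/sbin/rndc
carol           ALL=(root) /bin/sh, /usr/bin/vi
dave            ALL=(root) NOPASSWD: /usr/sbin/rndc reload, PASSWD: /usr/sbin/rndc stop
"""

# user  host_list = (runas_spec) tags: command_list
SPEC_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$"
)
TAG_RE = re.compile(r"^(?:(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")
# Each tag cancels its opposite for the commands that follow it (sudoers(5) semantics).
OPPOSITE = {"PASSWD": "NOPASSWD", "NOPASSWD": "PASSWD", "EXEC": "NOEXEC",
            "NOEXEC": "EXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
# Commands that give an interactive shell; granting them as root is as broad as ALL.
SHELL_CAPABLE = {"/bin/sh", "/bin/bash", "/bin/csh", "/usr/bin/vi", "/usr/bin/vim"}


@dataclass
class Spec:
    users: str
    hosts: str
    runas: str                              # "" means the default target user, root
    commands: List[Tuple[Set[str], str]]    # (tags in effect, command)
    line: str

    def runs_as_root(self) -> bool:
        user = self.runas.split(":")[0].strip()
        return user in ("", "ALL", "root")

    def risk(self) -> str:
        as_root = self.runs_as_root()
        nopass_all = any("NOPASSWD" in t and c == "ALL" for t, c in self.commands)
        any_all = any(c == "ALL" for _, c in self.commands)
        shell = any(c.split()[0] in SHELL_CAPABLE for _, c in self.commands)
        nopass = any("NOPASSWD" in t for t, _ in self.commands)
        if as_root and nopass_all:
            return "critical"       # full root, no authentication at all
        if as_root and (any_all or shell):
            return "high"           # full root behind a password: equivalent to su
        if as_root and nopass:
            return "medium"         # one root command without a password
        return "low"                # delegated to a service user, or password-protected


def parse_spec(line: str) -> Optional[Spec]:
    """Parse one user specification; return None for lines that are not one."""
    m = SPEC_RE.match(line)
    if not m:
        return None
    active: Set[str] = set()
    commands: List[Tuple[Set[str], str]] = []
    for item in m.group("rest").split(","):
        item = item.strip()
        t = TAG_RE.match(item)
        if t:
            for tag in re.findall(r"[A-Z]+(?=:)", t.group(0)):
                active.discard(OPPOSITE[tag])
                active.add(tag)
            item = item[t.end():].strip()
        if item:
            commands.append((set(active), item))
    return Spec(m.group("users"), m.group("hosts"), m.group("runas") or "", commands, line)


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (user_or_group, risk, line) for every user specification in the text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        # Leading '#' covers comments and #include lines; Defaults lines carry no grant.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        spec = parse_spec(line)
        if spec is not None:
            findings.append((spec.users, spec.risk(), line))
    return findings


if __name__ == "__main__":
    for who, level, line in audit(SAMPLE_SUDOERS):
        print(f"{level:8s} {who:12s} {line}")
```

The ordering of the levels reflects the argument of the thread: a password-protected `ALL` grant is no worse than handing out the root password via su, a password-less `ALL` grant is the lazy configuration to look for first, and a narrow grant that runs as a dedicated service user needs no password at all to be the lowest-risk entry in the file.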